Jump to content


Photo

aAaAaCCkkkk...please review my log


  • This topic is locked This topic is locked
16 replies to this topic

#1 LuckyATB

LuckyATB

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 19 May 2004 - 09:56 AM

Apologies in advance if I'm doing this wrong, but the FAQ seems to be incorrectly linked above.

Sometime in the past couple of days I got hijacked on my work PC, and my small company's tech guy is useless in this field, I had to explain what spyware was to him...I've been running AdAware and SpyBot S&D and CWShredder...they say they're getting rid of stuff, but if I run it an hour later, or after a restart, all the junk is back on it...every once in awhile some IE browsers will suddenly launch and give the barrage of (click OK to download this and that). The most irritating thing is how much it slows down trying to launch Word or Excel files, what used to be instantaneous now has a 5 second lag or so, which really adds up when you deal with those files constantly all day.

Anyway, here's my hijackthis log -

Logfile of HijackThis v1.97.7
Scan saved at 10:47:55 AM, on 5/19/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\winnt\temp\qbo.exe
C:\WINNT\system32\geadbc10.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\WINNT\system32\wcpsvsu.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\QjzZ.exe
C:\WINNT\system32\QjzZ.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Documents and Settings\edit.TRACEY-OXY6F1CY\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\Program Files\Popup Manager\PopupMgr_1.0.1.8P.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Olive System] C:\WINNT\system32\suchost.exe
O4 - HKLM\..\Run: [qbo.exe] C:\winnt\temp\qbo.exe
O4 - HKLM\..\Run: [4TR6MJ74BNLRW4] C:\WINNT\system32\JwqVfC.exe
O4 - HKLM\..\Run: [Dsi] C:\WINNT\system32\dp-him.exe
O4 - HKLM\..\Run: [qs3Q39P] geadbc10.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [WINT] C:\WINNT\system32\wcpsvsu.exe
O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\edit\HXIUL.EXE
O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\edit\Client\HelpExp.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.micros...tes/ieawsdc.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weat...Transporter.cab?
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8113.5255092593
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab


Thanks in advance, oh wise spyware killers...

#2 Kevin_b_er

Kevin_b_er

    Gliding through the clutter

  • Retired Staff - Helper
  • Pip
  • 36 posts

Posted 19 May 2004 - 10:44 AM

Move hijackthis to a folder where hijackthis can make backups in the same directory.

You're infected with the peper virus, get the peper removal tool:
http://downloads.sub....org/uninst.exe

Find something called 'helpexpress', 'alset' or 'aveo' in your add/remove programs, and uninstall it.

Reboot


Then check
O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\edit\HXIUL.EXE
O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\edit\Client\HelpExp.exe
O4 - HKLM\..\Run: [Olive System] C:\WINNT\system32\suchost.exe
O4 - HKLM\..\Run: [Dsi] C:\WINNT\system32\dp-him.exe
O4 - HKLM\..\Run: [qbo.exe] C:\winnt\temp\qbo.exe
O4 - HKLM\..\Run: [qs3Q39P] geadbc10.exe
O4 - HKCU\..\Run: [WINT] C:\WINNT\system32\wcpsvsu.exe
O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab


Unnecessary, check as you wish:
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboo
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weat...Transporter.cab?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

Next, reboot into safe mode and find and delete these:
C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
C:\WINNT\system32\wcpsvsu.exe
C:\WINNT\system32\suchost.exe
C:\WINNT\geadbc10.exe ----\ will be one
C:\WINNT\system32\geadbc10.exe ----/ of these
C:\winnt\temp\qbo.exe
C:\WINNT\system32\dp-him.exe

Restart again, and run hijackthis again. Make a new log and reply to this topic with that new log.

Edited by Kevin_b_er, 19 May 2004 - 10:45 AM.


#3 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • PipPipPipPipPip
  • 5,365 posts

Posted 19 May 2004 - 10:45 AM

Hi,
First do a Purity (trojan) scan uninstall
http://www.puritysca.../uninstall.html

Next, uninstall HelpExpress Via Add Remove.

After the above ...

Reconfigure Ad-Aware for Full Scan:
Please update the reference file following the instructions here:
http://www.lavahelp....dref/index.html

Launch the program, and click on the Gear at the top of the start screen.

Click the "Scanning" button.
Under Drives & Folders, select "Scan within Archives".
Click "Click here to select Drives + folders" and select your installed hard drives.

Under Memory & Registry, select all options.
Click the "Advanced" button.
Under "Log-file detail", select all options.
Click the "Tweaks" button.

Under "Scanning Engine", select the following:
"Include additional Ad-aware settings in logfile" and
"Unload recognized processes during scanning."
Under "Cleaning Engine", select the following:
"Let Windows remove files in use after reboot."
Click on 'Proceed' to save these Preferences.
Please make sure that you activate IN-DEPTH scanning before you proceed.

After the above post a fresh log ...

[Question]
Why have a (another) pop-up blocker when the one from the Google Toolbar will do?
Mike
Former Microsoft MVP Posted Image 1999-2012
"There's no place like 127.0.0.1"
Posted Image
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file

#4 LuckyATB

LuckyATB

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 19 May 2004 - 11:58 AM

Thank you for your attention and help, it is greatly appreciated.

[question answer] I run the two pop-up blockers because, well, I'd installed Popup Manager awhile before I'd installed the Google toolbar, and I like how Popup Manager works, so I just keep using it.

[notes]
a) At no point have I found 'helpexpress', 'alset', or 'aveo' in my "add/remove programs" option...however, I do have 'coupons and offers' in there which it will not let me remove.
B) I did not have a file C:\WINNT\system32\dp-him.exe, at least not after checking it on hijackthis.

[fresh log]

Logfile of HijackThis v1.97.7
Scan saved at 12:53:09 PM, on 5/19/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\QjzZ.exe
C:\WINNT\system32\Bio9fQ88.exe
C:\Documents and Settings\edit.TRACEY-OXY6F1CY\Desktop\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\Program Files\Popup Manager\PopupMgr_1.0.1.8P.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [4TR6MJ74BNLRW4] C:\WINNT\system32\JwqVfC.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.micros...tes/ieawsdc.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8113.5255092593
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#5 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • PipPipPipPipPip
  • 5,365 posts

Posted 19 May 2004 - 02:33 PM

Hi,
[Uninstall Peper Trojan] (making sure you're on line)
http://mjc1.com/file...ts/drpeper.html

Reboot and then ...


I do have 'coupons and offers' in there which it will not let me remove

Start | Run (type) "regedit" (no quotes)
Navigate to:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

Look in the left pane for: "coupons and offers"
Highlight the key right-click and select: Delete
Note: always Export before editing ...

After the above post a fresh log ...
Mike
Former Microsoft MVP Posted Image 1999-2012
"There's no place like 127.0.0.1"
Posted Image
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file

#6 LuckyATB

LuckyATB

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 19 May 2004 - 02:50 PM

Thanks so much.
Latest log:

Logfile of HijackThis v1.97.7
Scan saved at 3:49:43 PM, on 5/19/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\Ljp6O9N5.exe
C:\WINNT\system32\HuhTcA.exe
C:\Documents and Settings\edit.TRACEY-OXY6F1CY\Desktop\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\Program Files\Popup Manager\PopupMgr_1.0.1.8P.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [4TR6MJ74BNLRW4] C:\WINNT\system32\Trx6w9V5.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.micros...tes/ieawsdc.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8113.5255092593
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#7 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • PipPipPipPipPip
  • 5,365 posts

Posted 19 May 2004 - 03:43 PM

Hi,
Start | Run (paste the below into the Run box)

regedit /e c:\pup.txt HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\pup


Note: the above is all one line

Locate and paste the contents of "pup.txt"

Edited by WinHelp2002, 19 May 2004 - 03:45 PM.

Mike
Former Microsoft MVP Posted Image 1999-2012
"There's no place like 127.0.0.1"
Posted Image
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file

#8 LuckyATB

LuckyATB

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 19 May 2004 - 04:03 PM

I pasted that line into the "run" box and...nothing obvious happened.

I then did a search for pup.txt and found nothing.

#9 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • PipPipPipPipPip
  • 5,365 posts

Posted 19 May 2004 - 05:39 PM

Hi,

I pasted that line into the "run" box and...nothing obvious happened.

Ok, no problem ... just trying to eliminate possible culprits.


Download: WinpupFinder.zip
http://www10.brinkst...unk/winpups.htm
Unzip, and double-click the included "WinpupFinder.bat"
Generates: "winpups.txt", post the contents in your next post.
Mike
Former Microsoft MVP Posted Image 1999-2012
"There's no place like 127.0.0.1"
Posted Image
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file

#10 LuckyATB

LuckyATB

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 20 May 2004 - 07:36 AM

winpups.txt is a blank document.

#11 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • PipPipPipPipPip
  • 5,365 posts

Posted 20 May 2004 - 09:18 AM

LuckyATB,
Bear with me, I'm still trying to determine the cause\origin of the trojan that is still running on your system.

Try this: run the Peper uninstaller again twice, reboot after each run.
Note: make sure you are "online" each time.

After the above, paste the below into IE's Address Bar and include this info in your next post along with a fresh log ...

java script:navigator.userAgent


Mike
Former Microsoft MVP Posted Image 1999-2012
"There's no place like 127.0.0.1"
Posted Image
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file

#12 LuckyATB

LuckyATB

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 20 May 2004 - 09:39 AM

No sweat, m'man, I'll bear with you 'til the end...I'm just psyched someone's helping me out.

Internet explorer reads: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

New HJT log follows:

Logfile of HijackThis v1.97.7
Scan saved at 10:38:21 AM, on 5/20/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\Ljp6O9N5.exe
C:\WINNT\system32\WtoJ.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\edit.TRACEY-OXY6F1CY\Desktop\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\Program Files\Popup Manager\PopupMgr_1.0.1.8P.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [4TR6MJ74BNLRW4] C:\WINNT\system32\Trx6w9V5.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.micros...tes/ieawsdc.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8113.5255092593
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#13 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • PipPipPipPipPip
  • 5,365 posts

Posted 20 May 2004 - 10:02 AM

LuckyATB,
Well ... let's try this manually ...

1) Restart in Safe Mode (see "How To:" below)
2) Enable Hidden Files (see "How To:" below)

Locate and delete the following:

C:\WINNT\system32\Ljp6O9N5.exe <--this file
C:\WINNT\system32\WtoJ.exe <--this file
C:\WINNT\system32\Trx6w9V5.exe <--this file

While still in Safe Mode:
Close all open windows, rescan with HijackThis and "Fix checked" the following:

O4 - HKLM\..\Run: [4TR6MJ74BNLRW4] C:\WINNT\system32\Trx6w9V5.exe

Restart normally and then post a fresh log ...

Note: I don't see any Antivirus running?
Try this: AVG 6.0 Anti Virus [freeware]
http://www.grisoft.com/
Mike
Former Microsoft MVP Posted Image 1999-2012
"There's no place like 127.0.0.1"
Posted Image
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file

#14 LuckyATB

LuckyATB

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 20 May 2004 - 10:30 AM

Yeah, I know about the lack of AntiVirus software...I just got this PC a week or so ago (reformatted used) and when I first discovered this torjoan problem, my corporate computer guy noticed our standard-issue Norton Corporate wasn't installed...but he couldn't immediately find the disc to install it from and he has yet to come back and do it. As soon as we get this issue cleared up I'm going to be all over him about it.

New log:

Logfile of HijackThis v1.97.7
Scan saved at 11:27:57 AM, on 5/20/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Documents and Settings\edit.TRACEY-OXY6F1CY\Desktop\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\Program Files\Popup Manager\PopupMgr_1.0.1.8P.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.micros...tes/ieawsdc.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8113.5255092593
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#15 LuckyATB

LuckyATB

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 20 May 2004 - 02:19 PM

Does the lack of response mean I'm all set? I've noticed my PC isn't getting bogged down anymore.

#16 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • PipPipPipPipPip
  • 5,365 posts

Posted 20 May 2004 - 03:19 PM

LuckyATB,
Your log looks clean now ... good job!
Mike
Former Microsoft MVP Posted Image 1999-2012
"There's no place like 127.0.0.1"
Posted Image
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file

#17 LuckyATB

LuckyATB

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 20 May 2004 - 03:24 PM

You're the BEST...thanks a million. I've installed all the prevention programs on this site so's I hopefully won't have to bother y'all again.

Thanks again




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button